Cloudflare’s “Cloudbleed”: What Your Organization Can Learn

Cloudflare, an online infrastructure company, recently discovered that a security flaw in its code had been leaking sensitive data, affecting approximately 3,400 websites.

This incident is similar to (though smaller in scale than) one that happened in 2014, involving a bug called “Heartbleed.” For this reason, Google Project Zero researcher Tavis Ormandy half-jokingly dubbed Cloudflare’s bug “Cloudbleed.”

The major takeaway for companies echoes the warnings that followed the Heartbleed incident: those who rely solely on their cloud service providers for security are putting their data at risk. Organizations must be vigilant in implementing their own privacy and security controls to reinforce their data protection.

An example of effective reinforcement comes from the password manager service 1Password, developed by AgileBits. Shortly after Cloudflare’s disclosure of the Cloudbleed bug, AgileBits posted a message reassuring customers that their data remained secure. They could do this because the 1Password service uses three-layer encryption rather than relying entirely on the compromised SSL/TLS layer.
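The defense-in-depth point above is easiest to see in code. The following is an added example written for this post, not 1Password's or AgileBits' implementation: it assumes a client-side key that is derived on the user's device and never sent to the server, and it uses AES-256-GCM as the application-layer cipher (my choice for illustration, not a claim about 1Password's construction). A Cloudbleed-style fault is modeled as the edge proxy dumping the decrypted HTTPS request body it was handling into some other response; the check shows that a TLS-only design exposes the secret in that dump, while a body that was sealed before it ever touched TLS does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts one vault item under a client-held 32-byte key with AES-256-GCM.
// The random nonce is prepended to the ciphertext so Open can recover it; aad
// (for example an item identifier) is authenticated but not hidden.
// Hypothetical helper for this example; not a 1Password API.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails on any modification of nonce, ciphertext or aad.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed item too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// LeakExposesPlaintext models a Cloudbleed-style fault: the edge proxy has
// already terminated TLS, so whatever it held in memory is the decrypted
// request body. It reports whether that leaked body contains the secret the
// client wanted to protect. This is a model of the failure, not a detector.
func LeakExposesPlaintext(leakedRequestBody, secret []byte) bool {
	return bytes.Contains(leakedRequestBody, secret)
}

func main() {
	// Constructed sample: a vault item and a client-side key that never leaves the device.
	secret := []byte("correct horse battery staple")
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	itemID := []byte("item-0001")

	// Design 1: trust TLS alone. The proxy decrypts TLS and holds the secret in memory.
	tlsOnlyBody := secret
	fmt.Println("TLS-only design leaks secret:", LeakExposesPlaintext(tlsOnlyBody, secret))

	// Design 2: seal on the client first, then send over TLS. The proxy only ever
	// sees ciphertext, so a memory leak at the edge yields nothing readable.
	sealedBody, err := Seal(key, secret, itemID)
	if err != nil {
		panic(err)
	}
	fmt.Println("Client-sealed design leaks secret:", LeakExposesPlaintext(sealedBody, secret))

	// The intended recipient, holding the key, still recovers the item.
	plain, err := Open(key, sealedBody, itemID)
	if err != nil {
		panic(err)
	}
	fmt.Println("Recovered on the client:", string(plain))
}
```

The important property is where the key lives: if the provider, or any proxy in the path, could obtain the key, the extra layer would add nothing. The GCM authentication tag also means an edge that corrupts or splices data (which is exactly what a memory-disclosure bug does to responses) produces a detectable decryption failure rather than silently wrong data.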

Companies relying on the privacy of sensitive information online should prioritize building and maintaining proper encryption structures. Further, organizations must ensure that their cloud partners are upholding the security of their data once it moves onto the provider's servers. This is a capability that can and should be assessed by an experienced cyber security consultant.

Finally, for companies that do rely on third parties for security, managed security platforms with continuous monitoring and threat intelligence capabilities are a great option for enhancing your security posture. State-of-the-art SOC resources and highly skilled security analysts can help you make sure your customers don’t fall victim to a massive breach, even when the next Cloudbleed comes knocking.